June 1994

Office of the Legislative Auditor
State of Montana

Report to the Legislature

EDP Audit Report

The University of Montana

This report provides information regarding the general controls over the university's computer center. It contains recommendations to the university and the Board of Regents for improving controls over the university's electronic data processing environment. These recommendations address:

► Improving physical security and electronic access controls.

► Establishing formal contingency procedures.

► Defining and improving user services.

► Communicating existing system development policies and procedures.

► Establishing overall computer policies and procedures.


Direct comments/inquiries to:

Office of the Legislative Auditor
Room 135, State Capitol
PO Box 201705
Helena, Montana 59620-1705

93DP-38 




EDP AUDITS

Electronic Data Processing (EDP) audits conducted by the Office of the Legislative Auditor are designed to assess controls in an EDP environment. EDP controls provide assurance over the accuracy, reliability, and integrity of the information processed. From the audit work, a determination is made as to whether controls exist and are operating as designed. In performing the audit work, the audit staff uses audit standards set forth by the United States General Accounting Office.

Members of the EDP audit staff hold degrees in disciplines appropriate to the audit process. Areas of expertise include business and public administration and computer science.

EDP audits are performed as stand-alone audits of EDP controls or in conjunction with financial-compliance and/or performance audits conducted by the office. These audits are done under the oversight of the Legislative Audit Committee which is a bicameral and bipartisan standing committee of the Montana Legislature. The committee consists of four members of the Senate and four members of the House of Representatives.


MEMBERS OF THE LEGISLATIVE AUDIT COMMITTEE

Senator Greg Jergeson, Chairman
Senator Gerry Devlin
Senator Eve Franklin
Senator Tom Keating

Representative John Cobb, Vice Chairman
Representative Ernest Bergsagel
Representative Linda Nelson
Representative Robert Pavlovich


Office of the Legislative Auditor
EDP Audit

The University of Montana

Members of the audit staff involved in this audit were: Brenda Bokovoy and Rich McRae.


STATE OF MONTANA
Office of the Legislative Auditor

STATE CAPITOL
PO BOX 201705
HELENA, MONTANA 59620-1705
406/444-3122
FAX 406/444-3036

LEGISLATIVE AUDITOR:
SCOTT A. SEACAT

LEGAL COUNSEL:
JOHN W. NORTHEY

DEPUTY LEGISLATIVE AUDITORS:

MARY BRYSON
Operations and EDP Audit

JAMES GILLETT
Financial-Compliance Audit

JIM PELLEGRINI
Performance Audit


June 1994

The Legislative Audit Committee
of the Montana State Legislature:

This report is our EDP audit of general controls relating to the university's centralized data processing center. We reviewed the general controls over Computing and Information Services at The University of Montana. This report contains recommendations for improving EDP controls at the center. Our findings address improving physical and electronic access security, system development services, and organizational controls. Written responses to our audit recommendations are included in the back of the audit report.

We thank The University of Montana for their cooperation and assistance throughout the audit.

Respectfully submitted,

Scott A. Seacat
Legislative Auditor

Report Summary

Introduction

Our audit evaluated electronic data processing (EDP) general controls at The University of Montana's Computing and Information Services (CIS) facility. We examined procedures within the mainframe environment which ensure computer processing activities are controlled. General controls and the objectives and scope of this audit are discussed in Chapter I of the report.


General Controls

We found the general controls over the university's mainframe processing center provide for controlled application processing. However, we identified physical security weaknesses which could compromise the university's ability to provide continuous processing services. We also noted weaknesses which could compromise application data integrity and reduce effectiveness of CIS support services provided to computer users.

Physical Security

Physical security controls provide security against accidental loss or destruction of data and program files or equipment and ensure continuous operation of EDP functions. Physical security controls include: safeguard of files, programs and documentation; physical safeguard of the computer facility; and a plan or method to ensure continuity of operations following major destruction of files or hardware breakdown.

The University Should Establish a Disaster Recovery Plan

Computing and Information Services does not have formal disaster recovery procedures to return computing services to normal operations following a disaster. An effective disaster recovery plan should allow management to restore computing operations in a set time and minimize losses.

Industry standards suggest management develop formal procedures to efficiently recover computer processing activities to normal operations following a disaster. Without a formal disaster recovery plan, the university may be unable to process accounting transactions, pay employees, or process student enrollment records.

Backup Software, Programs and Data Should be Stored Off-Site

We reviewed CIS procedures which ensure software and data are backed up regularly and stored in a secure location to prevent accidental loss. We determined CIS employees stopped storing backup cartridges off site when storage space was no longer available.

Industry standards suggest management store backup copies of system software and application programs and data at a secure off-site location. Our review of CIS data storage procedures indicates the university should establish higher priority for a permanent off-site storage location.

Electronic Access Controls

Access controls provide electronic safeguards designed to protect computer system resources. Logon IDs and passwords control access to the university's operating system, computer programs, and data. System and application programmers have the highest degree of technical expertise in the computer facility and, therefore, play an important role in maintaining the application. However, application owners have primary responsibility for maintaining adequate controls. Without controls, system and application programmers may conceal changes to programs and data.

The university uses VAX/VMS operating system software to control electronic access to the operating system, application programs, and data stored on the mainframe computer. We reviewed access security established through VAX/VMS and identified areas where CIS should improve access controls. Our findings are discussed in Chapter II and summarized below.

Technical Support Employee Access Should be Limited

We found six CIS employees, in addition to the security officer, have unlimited access (which includes read, write, and delete) to the mainframe operating system. Although the employees perform technical support duties, the employees only require access to specific operating system files. To perform job duties, employees do not need write access to all operating system files.

Industry standards suggest management limit access to operating system files and programs to individuals who require access. Although the security officer reviews system reports which identify user activities, employees with security privileges could change operating system files or accidentally remove files. We believe CIS should review technical support employee access privileges to identify and evaluate associated risks.


Programmer Access

The university processes several mainframe applications including Banner, CUFS, and the payroll/personnel system. These applications process student information, budget and accounting data, and employee payroll records, respectively. During our review, we determined programmers have unrestricted and unlogged access to the Banner, CUFS, and payroll/personnel application production programs and/or data. We found five programmers have unlimited access to Banner production programs and data.

Industry standards suggest management restrict programmer access to production programs and data. Unrestricted access allows programmers to change student enrollment data, grades, accounts receivable, employee payroll data, and/or accounting transactions without authorization.

Programmers indicated they require access to correct transaction entry errors or programming code. The programmers noted testing procedures do not always detect improper coding. We believe the university could limit programmer access to production programs and data without reducing programmer performance.

We discussed our findings with CIS employees. We determined CIS reviewed and limited programmer access to Banner production programs and data after we brought our concerns to their attention. However, we believe the university should implement procedures to restrict programmer access to all production programs and data.

Organizational Controls

Organizational controls provide for effective operation, structuring, and management of computer center operations and services. Computing and Information Services' (CIS) primary function is to provide computing service to campus users. Services include installing software and hardware, problem resolution, mainframe processing, and personal computer repair and maintenance. We found CIS operations provide effective and reliable mainframe processing service to computer users. However, based on responses to our user survey and additional audit procedures, we noted areas where CIS could improve services to computer users.

User Support Services Should be Reviewed, Defined, and Communicated

We surveyed 100 university employees to determine user satisfaction with services provided by CIS. Fifty-seven employees responded to our survey. Thirteen employees indicated they were not aware of computing services CIS provides and did not know who to contact for computing assistance. Survey respondents also indicated they requested but did not receive assistance from CIS for computer purchases or installation.

Our survey results indicate CIS should review and revise its process for providing computing support to campus departments. We believe CIS should establish procedures to ensure computer specialists are accountable for support services they provide to campus departments. Defined services will provide guidance to computer users and promote informed purchases of compatible hardware and software.

Performance Evaluations

We determined CIS employees have not received performance evaluations in accordance with university policy. We reviewed personnel files for ten CIS employees and found no employees have received annual performance evaluations within the last two years. Six of the ten employees have never received performance evaluations.


University policy requires supervisors to evaluate and document employee work performance at least once per year. Annual performance evaluations provide the employee an opportunity to assess progress and improve performance. Evaluations also allow management to monitor employee performance, make suggestions for improvement, and support decisions regarding advancement, demotion, or termination.

Summary

The issues we identified during this audit indicate the Board of Regents should provide computing operation guidance in accordance with state law. Section 20-25-301(16), MCA, which refers to section 2-15-114, MCA, requires the Board of Regents to be ". . . responsible for assuring an adequate level of security for all data and information technology resources within the university system and shall . . . (4) ensure internal evaluations of the security program for data and information technology resources are conducted."

Our findings in this report address: incomplete contingency planning; electronic access to operating system and application software; undefined computing support services; unsupported department billings for repair and maintenance; and no procedures to ensure employees receive annual performance evaluations. The Board of Regents should establish policies which address safeguarding data and information technology resources in the university system, including mainframe and microcomputer policies.

Introduction

We performed an Electronic Data Processing (EDP) audit of The University of Montana's Computing and Information Services facility. We reviewed the university's general controls existing within the data processing environment.

General controls are a component of the overall internal control environment of computer-based applications. Data processing general controls are designed to ensure computer programs work consistently and properly; data files and resources are accessed only as authorized; and the entire data processing operation is adequately protected to ensure continued operation during normal and contingency situations.


EDP Audit General Controls

An EDP audit involves a review of management's internal controls implemented to protect assets and limit losses. In an automated environment the procedures for reviewing controls are different from those used in a manual environment. However, the objective of ensuring the reliability of controls is still the same. A general control review includes an examination of the following controls:

Organizational - apply to the structure and management of the computing and information services facility. Specific types of organization controls include segregation of duties, assignment of responsibilities, rotation of duties, and supervision.

Procedural - operating standards and procedures which ensure the reliability of computer processing results and protect against processing errors.

Hardware and Software - controls within the operating system software and hardware which monitor and report system error conditions.

System Development - oversight and supervisory controls imposed on development projects. Controls include feasibility studies, development, testing and implementation, documentation, and maintenance.

Physical Security - physical site controls including security over access to the computer facility, protection devices such as smoke alarms and sprinkler systems, and disaster prevention and recovery plans.

Electronic Access - controls which allow or disallow user access to electronically stored information such as data files and application programs.


Background

The University of Montana is a state funded, liberal arts university established in 1893. With a current enrollment of approximately 10,600 students, the university comprises a College of Arts and Sciences and seven professional schools: Business Administration, Education, Fine Arts, Forestry, Journalism, Law, and Pharmacy and Allied Health Sciences. The university is a part of the Montana University System, which includes six universities and colleges and total enrollment of approximately 26,500 students.

Computing and Information Services (CIS) supports instructional, research, and administrative activities by providing computing and electronic communication facilities and services to campus employees and students. CIS is organized into four major functions managed by a central administrative staff. These functions include: Administrative Information Systems Development Services, Computing and Network Services, Electronic Maintenance Services, and Electronic Communication Services.


CIS mainframe operations are based around Digital Equipment Corporation (DEC) computer systems which serve both academic users and support offices. The university maintains several locally developed mainframe applications including the university's personnel-payroll system. Commercially developed systems operating on the mainframe include the College and University Financial System (CUFS) and the Banner Student Information System. Purchased in 1985, CUFS supports the university's financial management and reporting activities including purchasing and grant management. In 1988 the university purchased the Banner system, which tracks student information including recruitment, admissions, registration, financial aid, student billing, retention, and graduation.

Organization of Report

We organized the report into four chapters. Chapter I contains the introduction, background information, and audit objectives. Chapter II discusses physical security over the computer center and electronic access to the mainframe operating system software. Chapter III provides our findings related to system development services. Finally, Chapter IV includes recommendations for improving organizational controls based on survey responses from campus computer users.

Audit Objectives

The objective of this EDP audit was to determine the adequacy of general controls specific to The University of Montana's Computing and Information Services (CIS) facility.

Audit Scope and Methodology

The audit was conducted in accordance with government audit standards. We compared existing general controls against criteria established by the American Institute of Certified Public Accountants (AICPA), General Accounting Office (GAO), and the EDP industry.

We reviewed The University of Montana's general controls related to the Computing and Information Services (CIS) mainframe environment. The mainframe computer processes several applications including the Banner Student Information System, College and University Financial System (CUFS), and the university payroll system. We interviewed CIS personnel to gain an understanding of the hardware and software environment at the university. We also examined documentation to supplement and confirm information obtained through interviews.

We examined procedures within the mainframe environment which ensure computer processing activities are controlled. For example, we determined mainframe equipment is maintained in a secured area and access is limited to authorized personnel. We also reviewed job control procedures to help ensure integrity of all system processing.

Controls over centralized operations are supplemented by controls established by computer users. We did not review general controls over microcomputers established by university employees outside the CIS function.


Compliance

We determined compliance with applicable state laws and rules and Montana Operations Manual policies. Except as discussed on pages 5, 12 and 20, we found The University of Montana to be in compliance with applicable laws and state policy.


Summary

In conclusion, we found the general controls provide for controlled application processing on the mainframe computer system. However, the physical security weaknesses we identified could compromise the university's ability to provide continuous processing services. We also noted weaknesses which could compromise application data integrity and reduce effectiveness of CIS support services provided to computer users.

Introduction

The university's mainframe computer center is located in the basement of a campus building. Academic and administrative employees and students process application programs and data stored on the mainframe through personal computers and terminals located at various campus departments or computer labs. This chapter discusses our review of Computing and Information Services' procedures which ensure physical security and electronic access over mainframe hardware, software, and data are controlled.

Physical Security Controls

Physical security controls provide security against accidental loss or destruction of data and program files or equipment and ensure continuous operation of EDP functions. Physical security controls include: safeguard of files, programs and documentation; physical safeguard of the computer facility; and a plan or method to ensure continuity of operations following major destruction of files or hardware breakdown.

We reviewed existing physical controls in place at the Computing and Information Services facility. We noted CIS installed computer hardware on a raised floor, smoke alarms function properly, air conditioning maintains controlled computer room temperature, and the power supply meets computing equipment needs. However, we noted instances where CIS could improve physical controls over computer operations. These issues are discussed in the following sections.

The University Should Establish a Disaster Recovery Plan

Computing and Information Services does not have formal disaster recovery procedures to return computing services to normal operations following a disaster. An effective disaster recovery plan should allow management to restore computing operations in a set time and minimize losses.

Industry standards suggest management develop formal procedures to efficiently recover computer processing activities to normal operations following a disaster. The Montana Operations Manual (MOM) section 1-0240.00 outlines agency responsibilities regarding disaster recovery which include assigning recovery team member responsibilities; assessing information and resource requirements necessary to maintain applications; and determining alternate procedures which may be necessary if recovery cannot be completed timely.

A disaster recovery plan may include but is not limited to:

► An inventory of current applications, operating system programs, telecommunications programs or networks, and hardware.

► An analysis to determine application significance and impact of loss.

► An analysis to determine application recovery priority.

► Selecting a disaster recovery method depending on how long the organization can operate without processing, management's backup procedures, and cost.

► Identification, involvement, and commitment of employees responsible for operating applications.

► Definition of application requirements including personnel, hardware, system support programs, communications, data, special forms, etc.

Documented and tested recovery procedures allow normal operations to resume as quickly as possible following a disaster. Without a formal disaster recovery plan, the university may be unable to process accounting transactions, pay employees, or process student enrollment records.

Recommendation #1

We recommend the university establish, test, and document a formal disaster recovery plan.

Uninterruptible Power Supply

The Computing and Information Services (CIS) facility does not have an uninterruptible power supply (UPS) installed for its mainframe computing system. During a power failure, a UPS maintains temporary power and allows personnel to complete an orderly shutdown of computer hardware. These devices are usually battery equipped to sustain computer operations for at least 15 minutes or may be connected to a backup generator for continued operation.

Industry standards suggest management implement physical security controls to protect computer hardware from damage caused by power fluctuations or failure. The university uses a power conditioner to reduce hardware damage during sudden power changes. However, the power conditioner does not prevent hardware shutdown during complete power outages. As a result, the university could sustain computer application production processing errors. A controlled system shutdown prevents unreliable processing results and promotes efficient restoration of computing operations.

We determined CIS has experienced over 20 power outages during the twelve months ended February 28, 1994. The power outages ranged from five minutes to several hours. A CIS official indicated once power is restored, it takes about 45 minutes to return the mainframe computer to full operating capacity. As a result, university employees are unable to process accounting transactions, payroll, or student records.

A CIS official estimated complete power outages cause between seven and fifteen hours of downtime per year. Because continuous computer processing is critical for university operations, we believe the university should evaluate purchasing a UPS. We estimate the university could purchase a UPS for $42,000 to $48,000.

Recommendation #2

We recommend the university evaluate purchasing an alternative power backup system for the Computing and Information Services computing center.

CIS Should Implement Existing Physical Security Controls

We reviewed physical controls within the computer center to determine if mainframe equipment and employees are protected from hazards such as fire, flood, or other catastrophe. We determined CIS regularly inspects fire extinguishers, but employees are not trained in how and when to use them. We also determined CIS has disconnected an electronic device which monitors computer room temperature and noise level. The electronic device can place an emergency telephone call to alert employees if the computer room is too warm or becomes quiet. These conditions may indicate power failure or fire within the computer center.

Industry standards suggest management implement cost-effective controls to prevent or limit damage to computer equipment caused by excessive heat or fire. Because these controls are already available at minimal or no cost, CIS should implement these safeguards.

We also noted CIS stores halon tanks on a storage shelf in the computer room. Halon is a toxic chemical gas which eliminates oxygen during a fire. A CIS employee noted the tanks were installed at one time throughout the computer room to extinguish fire. However, CIS does not intend to reinstall the tanks because halon is being phased out of production. Therefore, the university should dispose of its halon tanks to reduce risk of injury to individuals.

Recommendation #3

We recommend the university:

A. Implement cost-effective controls to prevent or limit damage to computer center equipment.

B. Remove and properly dispose of the computer center halon tanks.

Backup Software, Programs and Data Should be Stored Off Site

We reviewed CIS procedures which ensure software and data are backed up regularly and stored in a secure location to prevent accidental loss. Each week, CIS operations personnel back up all mainframe system software and application programs to cartridges. Although we noted employees regularly back up software and data, during our initial observation we determined the employees did not store the cartridges in an off-site location.

CIS employees stopped storing backup cartridges off site when storage space was no longer available. Employees located and began using another campus storage facility but determined it was too warm and dirty. We observed the current storage facility on two different occasions. After our initial review, employees installed air conditioning to lower the room temperature. During our second observation, we noted CIS employees had stored backup information at the facility after improving the environmental conditions.

Industry standards suggest management store backup copies of system software and application programs and data at a secure off-site location. Unless backup copies are stored off site, the university could lose software, application programs and data at the computer center due to fire, water damage, or other reasons.

Our review of CIS data storage procedures indicates the university
should establish higher priority for a permanent off-site
storage location. We believe documented policies and procedures
will ensure adequate and continued physical safeguarding of
back-up software, programs, and data.


Recommendation  #4 

We recommend the university establish policies and procedures
to ensure backup information is consistently stored
off site in a secure location.


Electronic Access
Controls


Access controls provide electronic safeguards designed to protect
computer system resources. Logon IDs and passwords control
access to the university's operating system, computer programs,
and data. System and application programmers have the highest
degree of technical expertise in the computer facility and,
therefore, play an important role in maintaining the application.
However, application owners have primary responsibility for
maintaining adequate controls. Without controls, system and
application programmers may conceal changes to programs and
data.

Proper access controls prevent and detect deliberate or accidental
errors caused by improper use or unauthorized manipulation of
data, programs, and/or computer resources. A security officer
writes rules which limit access to specific areas. Limited access
based on job duties prevents users from inadvertently or willfully
executing programs or changing data unrelated to their job.

The  university  uses  VAX/VMS  operating  system  software  to 
control  electronic  access  to  the  operating  system,  application 
programs,  and  data  stored  on  the  mainframe  computer. 
VAX/VMS  controls  access  through  electronic  rules  which  allow 
or  prevent  user  access.   In  addition,  the  university  controls  access 
to  the  Banner  and  CUFS  applications  through  security  programs 
which  control  access  to  programs,  data,  and  specific  screens.   We 
reviewed access security established through VAX/VMS and
identified  areas  where  CIS  should  improve  access  controls.   Our 
findings  are  discussed  in  the  following  sections. 


Technical  Support 
Employee  Access  Should 
be  Limited 


We  found  six  CIS  employees,  in  addition  to  the  security  officer, 
have  unlimited  access  (which  includes  read,  write,  and  delete)  to 
the  mainframe  operating  system.   Although  the  employees 
perform  technical  support  duties,  the  employees  only  require 
access  to  specific  operating  system  files.   For  example,  one 
technical  support  programmer  maintains  Banner  application 
security  and  performs  related  VMS  software  maintenance.   To 
perform  job  duties,  employees  do  not  need  write  access  to  all 
operating  system  files. 


Industry  standards  suggest  management  limit  access  to  operating 
system  files  and  programs  to  individuals  who  require  access. 
Although  the  security  officer  reviews  system  reports  which 
identify  user  activities,  employees  with  security  privileges  could 
change  operating  system  files  or  accidentally  remove  files.   Users 
could  read,  write,  execute,  or  delete  any  operating  system  file. 
Users  could  also  write  directly  to  devices,  allowing  users  to 
destroy  the  system  device,  destroy  user  data,  intercept  user 
passwords,  and  expose  information  to  unauthorized  individuals. 

We  believe  CIS  should  review  technical  support  employee  access 
privileges  to  identify  and  evaluate  associated  risks.  The  State  of 
Montana  Information  Technology  Advisory  Council  has  recently 
adopted  guidelines  for  establishing  and  evaluating  electronic 
access  controls.  These  guidelines  are  included  in  the  Department 
of  Administration's  state  computing  directions,  standards,  and 
guidelines  manual. 
Recommendation #5

We  recommend  the  university  evaluate  and  limit  Technical 
Support  employee  access  according  to  job  duties. 


Programmer Access
Should be Restricted


The university processes several mainframe applications including
Banner, CUFS, and the payroll/personnel system. These
applications process student information, budget and accounting
data, and employee payroll records, respectively.

The Administrative Information Systems (AIS) Development
function of CIS provides programming services to campus
departments at the request of application coordinators. The
coordinators are responsible for overall controls for their
applications. As we discuss in Chapter III, we reviewed AIS's
procedures for completing requested changes to application programs.

During our review, we determined programmers have
unrestricted and unlogged access to the Banner, CUFS, and
payroll/personnel application production programs and/or data.
We found five programmers have unlimited access to Banner
production programs and data. We observed one of the five
programmers bypass Banner screens and access production data
management believed was secured. We also determined two
programmers have unlimited access to CUFS application production
programs and data. We observed one of these two programmers
access payroll/personnel application production data.

Industry  standards  suggest  management  restrict  programmer 
access  to  production  programs  and  data.   In  addition,  Montana 
Operations  Manual  Section  2-1210.00  states  no  one  person  should 
be  in  a  position  to  perpetrate  and  conceal  errors  and 
irregularities.   Unrestricted  access  allows  programmers  to  change 
student  enrollment  data,  grades,  accounts  receivable,  employee 
payroll data, and/or accounting transactions without
authorization. 

AIS programmers indicated they require access to correct
transaction entry errors or programming code. The programmers
noted testing procedures do not always detect improper coding.
These errors generally occur during production data processing
and require programmers to resolve the error. We believe the
university could limit programmer access to production programs
and data without reducing programmer performance. For
example, programmer access could be restricted to times
programmers require access. For situations where programmer
access is required, CIS could provide a before and after snapshot
of programming changes for management's review.
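One way to implement the two compensating controls described above, a time-limited, ticketed access window and a before/after snapshot of production programs for management review, as an added example that is not part of the audit report or of CIS procedures. The user name, ticket number, window length, and the sample payroll program tree are constructed for illustration.

```python
"""Emergency production-access window plus before/after snapshot review.

Added example; not the audit report's or the university's own procedure.
The names, ticket and sample file tree below are constructed for illustration.
"""
import hashlib
from datetime import datetime, timedelta
from pathlib import Path


def snapshot_files(files):
    """Manifest {path: sha256 hex} for an in-memory {path: bytes} tree."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def snapshot_dir(root):
    """Same manifest for a real directory (paths relative to root, POSIX-style)."""
    root = Path(root)
    files = {p.relative_to(root).as_posix(): p.read_bytes()
             for p in root.rglob("*") if p.is_file()}
    return snapshot_files(files)


def diff_snapshots(before, after):
    """Classify every path as added, removed or modified between two manifests."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
    }


class AccessWindow:
    """An approved, time-limited grant of production access to one programmer.

    The ticket records the application coordinator's authorization; access
    by another user, or outside [start, end), is not authorized.
    """

    def __init__(self, user, ticket, start, minutes):
        self.user = user
        self.ticket = ticket
        self.start = start
        self.end = start + timedelta(minutes=minutes)

    def allows(self, user, at):
        return user == self.user and self.start <= at < self.end


def review_record(window, before, after, changed_by, changed_at):
    """Management review record for one production change.

    needs_follow_up is set when something changed outside the approved
    window or by a different user, or when production files were removed.
    """
    changes = diff_snapshots(before, after)
    in_window = window.allows(changed_by, changed_at)
    touched = changes["added"] + changes["removed"] + changes["modified"]
    return {
        "ticket": window.ticket,
        "programmer": changed_by,
        "changed_at": changed_at.isoformat(timespec="minutes"),
        "within_window": in_window,
        "changes": changes,
        "needs_follow_up": (not in_window and bool(touched)) or bool(changes["removed"]),
    }


# Constructed sample: a small production program tree before and after an
# emergency fix. File names and contents are made up for this example.
PROD_BEFORE = {
    "payroll/calc_gross.cob": b"COMPUTE GROSS = HOURS * RATE.\n",
    "payroll/tax_table.dat": b"FED,0.15\nSTATE,0.05\n",
    "payroll/print_checks.cob": b"DISPLAY 'CHECK RUN'.\n",
}
PROD_AFTER = {
    "payroll/calc_gross.cob": b"COMPUTE GROSS = HOURS * RATE + OVERTIME.\n",
    "payroll/tax_table.dat": b"FED,0.15\nSTATE,0.05\n",
    "payroll/print_checks.cob": b"DISPLAY 'CHECK RUN'.\n",
    "payroll/calc_gross.bak": b"COMPUTE GROSS = HOURS * RATE.\n",
}

# Constructed authorization: a two-hour evening window for one programmer.
WINDOW = AccessWindow(user="jdoe", ticket="CHG-0042",
                      start=datetime(1994, 3, 14, 18, 0), minutes=120)


def sample_review(changed_by="jdoe", changed_at=datetime(1994, 3, 14, 18, 45)):
    """Run the review over the constructed sample; used by the demo below."""
    return review_record(WINDOW, snapshot_files(PROD_BEFORE),
                         snapshot_files(PROD_AFTER), changed_by, changed_at)


if __name__ == "__main__":
    rec = sample_review()
    print(f"Ticket {rec['ticket']} by {rec['programmer']} at {rec['changed_at']}")
    print(f"  within approved window: {rec['within_window']}")
    for kind, paths in rec["changes"].items():
        for p in paths:
            print(f"  {kind:9s} {p}")
    print(f"  needs follow-up: {rec['needs_follow_up']}")
```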

We  discussed  our  findings  with  Computing  and  Information 
Services  employees.   We  determined  CIS  reviewed  and  limited 
programmer  access  to  Banner  production  programs  and  data 
after  we  brought  our  concerns  to  their  attention.   However,  we 
believe  the  university  should  implement  procedures  to  restrict 
programmer  access  to  all  production  programs  and  data. 


Recommendation  #6 

We  recommend  the  university  restrict  programmer  access  to 
production  programs  and  data. 
Introduction


The Administrative and Information Systems Development
Services (AIS) function of the Computing and Information
Services provides programming support to campus departments.
Services include programming to modify or enhance existing
computer applications. AIS also provides assistance to
departments interested in acquiring new computer applications.


AIS employees provide ongoing programming assistance for
Banner, CUFS, and the payroll/personnel applications. System
programmers are assigned to specific applications and report job
progress to supervising analysts and the AIS manager. We
determined AIS has established policies and procedures for providing
application support services to campus users. AIS guidelines
provide for documented programming changes and testing
procedures. In addition, AIS employees regularly consult with
application coordinators to facilitate support request services.

We reviewed services AIS provides to academic and administrative
departments. As discussed in the following section, we
found areas where AIS could improve internal operations to
ensure services meet user needs.


Documentation  of 
System  Changes 


AIS employees use a checklist to facilitate and document
programming services provided to campus departments. The
checklist documents completed and remaining services, and
sign-off by the system programmer upon completion of each task.
Seven of eight checkoff lists we reviewed were not authorized by
supervising analysts. We also noted three of the seven
unauthorized checkoff lists were not completed by system
programmers.


Industry  standards  suggest  management  establish  procedures  to 
ensure  system  enhancements/modifications  are  completed 
according  to  the  application  owner's  request.   Although  AIS  has 
established  policies  and  procedures  for  system  development 
services,  employees  were  not  fully  aware  of  management's 
intended  use  for  the  checklist  form. 
We believe the checklist, in addition to established procedures,
effectively ensures system programmers properly complete
change requests. In addition, when used as intended, the
checklist documents the supervising analyst's authorization for
completed programming changes. Authorized documentation
also enables AIS management to address subsequent questions
from the application owner.


Recommendation  #7 

We  recommend  the  university  communicate  established 
procedures  for  documenting  system  programming  changes. 




Chapter  IV  -  Organizational  Controls 


Introduction 


Organizational controls provide for effective operation,
structuring, and management of computer center operations and
services. Primary functions of management include organizing,
directing, and controlling the activities of an entity in order to
accomplish the objectives of the entity. The methods
management adopts to carry out these functions constitute management's
control system.


Computing  and  Information  Services'  (CIS)  primary  function  is 
to  provide  computing  service  to  campus  users.   Services  include 
installing  software  and  hardware,  problem  resolution,  mainframe 
processing,  and  personal  computer  repair  and  maintenance.   We 
reviewed  CIS's  organizational  controls  to  determine  the 
effectiveness  of  CIS  operations  and  services  provided  to  campus 
users.   We  found  CIS  operations  provide  effective  and  reliable 
mainframe  processing  service  to  computer  users. 

We surveyed 100 university administrative employees to
determine user satisfaction with services provided by CIS. We asked
employees to evaluate CIS services including: acquisition and
modifications of software; consultation for requested
programming modifications; responding to print requests and
tape mounts; job submission procedures; selecting and installing
computer hardware and software; training services; and
maintenance and repair services. Fifty-seven employees responded to
our survey. Overall, we found university employees are satisfied
with the training, application support, mainframe processing,
and repair and maintenance services provided by CIS. However,
based on survey responses and additional audit procedures, we
noted areas where CIS could improve services to computer users.
This chapter discusses our findings and provides suggestions for
improving overall organizational controls.


User Support Services
Should be Reviewed,
Defined, and Communicated


CIS  produces  several  computing  publications  to  inform  computer 
users  about  changes  in  technology  and  help  users  resolve 
computing  problems.  One  of  57  survey  respondents  indicated  he 
relies  on  CIS  publications  for  computing  assistance  and  direction. 
However,  several  users  (13  of  57)  indicated  they  were  not  aware 
of computing services CIS provides and did not know who to
contact  for  computing  assistance.   Survey  respondents  also 
indicated  they  requested  but  did  not  receive  assistance  from  CIS 
for  computer  purchase  or  installation.   Another  survey 
respondent  noted  CIS  employees  attempted  but  did  not  have 
technical  expertise  to  provide  hardware  and  software  installation 
assistance. 

Our  survey  results  indicate  CIS  should  review  and  revise  its 
process  for  providing  computing  support  to  campus  departments. 
We  believe  CIS  should  establish  procedures  to  ensure  computer 
specialists  are  accountable  for  support  services  they  provide  to 
campus  departments.   For  example,  CIS  could  follow  up  with 
department  users  to  identify,  reduce,  and  resolve  support 
concerns. 

We recognize CIS cannot provide computing support to all
campus computer users. However, we believe the growing use
of computers and advances in technology increase the need for
clearly defined support services. CIS should establish support
standards and define services to assist campus departments which
currently make individual decisions regarding computer
hardware and software purchases. Defined services will provide
guidance to computer users and promote informed purchases of
compatible hardware and software.


Recommendation  #8 

We  recommend  the  university: 

A.  Review  and  revise  user  support  procedures  to  ensure 
services  meet  user  needs. 

B.  Define  and  communicate  CIS's  available  computer 
support  services. 
Performance Evaluations


We determined CIS employees have not received performance
evaluations in accordance with university policy. We reviewed
personnel files for ten CIS employees, including computer
specialists who provide computer assistance to campus departments.
We found no employees have received annual performance
evaluations within the last two years. In addition, six of
the ten employees have never received performance evaluations.
Based on our testing, we determined the six employees have
worked for the university from three to twenty-one years.

University policy requires supervisors to evaluate and document
employee work performance at least once per year. Annual
performance evaluations provide the employee an opportunity to
assess progress and improve performance. Evaluations also allow
management to monitor employee performance, make
suggestions for improvement, and support decisions regarding
advancement, demotion, or termination.

CIS  management  evaluated  position  descriptions  and  completed 
performance  evaluations  for  development  programming  staff  in 
1991.  Management  noted  they  periodically  discuss  performance 
with  employees  but  do  not  necessarily  document  the  discussions 
in  accordance  with  university  policy.  We  believe  the  university 
should  establish  procedures  to  ensure  employees  are  provided 
performance  evaluations  according  to  university  policy. 


Recommendation #9

We recommend the university ensure management performs
annual performance evaluations in accordance with university
policy.
Billing Procedures


The Computing and Information Services' (CIS) Maintenance
Services function provides services to campus departments which
include personal computer maintenance and repair. CIS charges
$38 per hour for maintenance services. We reviewed CIS
maintenance procedures and determined employees do not maintain
documentation to support time charged for maintenance projects.


We  found  CIS  employees  record  hours  in  a  log  for  billing 
purposes  when  projects  exceed  two  hours.   Documentation 
includes  date,  time,  description  of  service  provided,  plus 
replacement  parts.   Employees  use  the  log  to  track  total  time  and 
parts  for  jobs  and  record  the  total  on  an  institutional  voucher 
billing  form.   However,  employees  discard  the  maintenance  log 
after  preparing  the  billing  form.   We  were  unable  to  determine  if 
service  billings  to  campus  departments  were  reasonable  and 
proper. 

Montana Operations Manual section 1-0890.17 requires agencies
to maintain billing support documentation, including
documentation which supports evidence of a transaction, for
four years. The service log provides support for CIS
maintenance services and ensures campus departments are billed
properly.

The service log could provide management useful information
such as employee workload and parts usage. Incomplete
documentation could allow campus departments to be improperly
billed for maintenance services. In addition, CIS employees may
be unable to explain the nature of billed services or resolve
related questions. We believe CIS could attach supporting
documentation to the department billing form.
Recommendation #10

We recommend the university retain supporting documentation
for CIS billings in accordance with state policy.


Summary


The issues we identified during this audit indicate the Board of
Regents should provide computing operation guidance in accordance
with state law. Section 20-25-301(16), MCA, which refers
to section 2-15-114, MCA, requires the Board of Regents to be
". . . responsible for assuring an adequate level of security for all
data and information technology resources within the university
system and shall . . . (4) ensure internal evaluations of the security
program for data and information technology resources are
conducted." The Board of Regents should establish policies
which address safeguarding data and information technology
resources in the university system, including mainframe and
microcomputer policies. These policies should encourage the
university system units to adopt procedures which include, but
are not limited to, the following:


1. Conduct and periodically update a comprehensive risk
analysis to determine security threats to data and information
resources.

2. Develop and periodically update written policies and
procedures which provide security over data and information
resources.

3.  Implement  appropriate  cost-effective  safeguards  to  reduce, 
eliminate,  or  recover  from  identified  risks  to  data  and 
information  resources. 

4.  Perform  periodic  internal  audits  and  evaluations  of  the 
security  program  for  data  and  information  resources. 

Our  findings  in  this  report  address:   incomplete  contingency 
planning;  electronic  access  to  operating  system  and  application 
software;  undefined  computing  support  services;  unsupported 
department  billings  for  repair  and  maintenance;  and  no 
procedures to ensure employees receive annual performance
evaluations.   The  University  of  Montana  provided  internal 
policies  and  procedures  for  the  Administrative  Information 
Systems  function  but  did  not  provide  overall  computing  policies 
and  procedures. 

The university should establish formal policies and procedures
for university computing. Our audit results indicate the university
should establish internal computing policies and procedures
which provide for: defined support services including
equipment acquisition, installation, and problem resolution; annual
performance evaluations; and overall organizational operating
policies and procedures.

Growth of personal computer use, changing technology, and
limited financial resources increase the need to establish
long-term computing plans and objectives. The University of
Montana completed an Information Technology plan in April
1992 to establish goals and objectives regarding university
computing needs. The plan is intended to keep the university
current with information technology and improve campus-wide
computing functions.

In January 1994 the Board of Regents established procedures for
restructuring the university system. The restructuring plan
provides for consolidating The University of Montana with the
Butte, Missoula and Helena Vocational-Technical Centers and
the College of Mineral Science and Technology and Western
Montana College. We believe the consolidation could allow the
university system units to combine information technology
resources, establish consistent policies and procedures, improve
computing services, and achieve long-term computing goals and
objectives. Formal computing policies and procedures will assist
The University of Montana in achieving computing goals
and ensuring user needs are met.
Recommendation #11

We recommend the Board of Regents develop and implement
formal policies which address safeguarding data and
information technology resources in accordance with state
law.
The University of Montana


9 June 1994

Mr.  Scott  A.  Seacat 

Legislative  Auditor 

Office  of  the  Legislative  Auditor 

Room  135,  State  Capitol 

Helena,  MT   59620 

Dear  Mr.  Seacat: 


Office  of  the  President 
The  University  of  Montana 
Missoula,  Montana  59812-1291 

(406)  243-2311,  FAX  (406)  243-2797 
I have enclosed The University of Montana's response to the
recommendations  of  the  EDP  Audit  Report.  In  general,  we  concur 
with  the  recommendations  contained  in  the  report. 

Several  recommendations  require  minor  adjustments  or  clarifications 
of  existing  procedures  and  policies.  We  will  complete  the 
corrective  actions  for  these  by  summer's  end.  The  remaining 
recommendations  are  more  complex  and  we  will  address  these  issues 
as  part  of  the  changes  brought  about  by  the  restructuring  plan. 

I  can  assure  you  that  The  University  of  Montana  has  a  strong 
commitment  to  resolution  of  the  issues  and  concerns  reported  in  the 
EDP  Audit.  We  developed  an  Action  Plan  outlining  the  corrective 
steps  to  address  each  recommendation  in  the  report. 

We value the care and enthusiastic spirit of the audit team and
thank all those involved for their assistance.




Enclosure 


c:    J.  Baker,  Commissioner  of  Higher  Education 
K.  Burgmeier,  Director,  Internal  Audit 
J.  Todd,  Vice  President  for  Administration  and  Finance 
An Equal Opportunity University


The  University  of  Montana 

Response  to  the  Report  by  the 
Office  of  the  Legislative  Auditor 


RECOMMENDATION  #1 

WE  RECOMMEND  THE  UNIVERSITY  ESTABLISH,  TEST,  AND  DOCUMENT  A  FORMAL 
DISASTER  RECOVERY  PLAN. 

RESPONSE: 

THE  UNIVERSITY  CONCURS  WITH  THE  RECOMMENDATION.  We  agree  we 
must  formalize  and  revise  our  computing  center  disaster 
recovery  plans.  We  began  discussions  last  fall  on  the 
development  of  such  a  plan,  but  once  the  restructuring  plans 
were  adopted  by  the  Board  of  Regents,  we  realized  additional 
opportunities  which  we  are  currently  exploring.  A  recently 
formed  task  force  is  developing  a  draft  plan  for  campus  review 
in  early  Fall  1994.  Once  the  review  process  is  completed, 
contingent  upon  available  resources,  we  will  appropriately 
revise,  test,  and  implement  the  plan. 

One  potential  component  of  the  plan  is  to  locate  a  remote 
computing  facility  somewhere  other  than  on  the  main  Missoula 
campus.  This  facility  could  be  connected  to  the  main  campus 
with  a  high-speed  network.  We  recently  acquired  some  of  the 
necessary  components  for  this  facility. 

RECOMMENDATION  #2 

WE  RECOMMEND  THE  UNIVERSITY  EVALUATE  PURCHASING  AN  ALTERNATIVE 
POWER  BACKUP  SYSTEM  FOR  THE  COMPUTING  AND  INFORMATION  SERVICES 
COMPUTING  CENTER. 

RESPONSE: 

THE UNIVERSITY CONCURS WITH THE RECOMMENDATION. An
uninterruptible power supply (UPS) remains a funding
issue. We formulated a plan which identifies critical
locations around campus where it is important to ensure
uninterrupted computing and networking capabilities.
Periodically a cost analysis is performed, whereby we weigh
the cost of lost processing time against the cost of acquiring a
UPS. We will again review the plan and update the cost
analysis. We will consider UPS purchases in Fiscal Year 1996
budget allocations.

However,  we  do  not  agree  with  the  assertion  in  the  audit 
report  that  the  University  could  sustain  computer  application 
processing  errors.  In  the  event  of  a  power  failure,  the 
computer  power  conditioner  and  self-contained  backup  power 
supply  systems  fully  protect  the  hardware  and  programs, 
including data files, from damage. A UPS has no effect upon
the reliability of processing results or upon the efficient
restoration of computing operations.

RECOMMENDATION  #3 

WE  RECOMMEND  THE  UNIVERSITY: 

A.  IMPLEMENT  COST-EFFECTIVE  CONTROLS  TO  PREVENT  OR  LIMIT  DAMAGE 
TO  COMPUTER  CENTER  EQUIPMENT. 

RESPONSE: 

THE  UNIVERSITY  CONCURS  WITH  THE  RECOMMENDATION.  We  will  take 
the  steps  necessary  to  ensure  training  is  provided  to 
appropriate  computer  center  personnel  on  use  of  the  fire 
extinguisher.  We  will  also  reconnect  the  electronic  device 
which  monitors  and  reports  room  temperature,  power  and  noise 
irregularities.  Implementation  of  both  corrective  actions 
will  occur  by  30  June  1994. 

B.  REMOVE  AND  PROPERLY  DISPOSE  OF  THE  COMPUTER  CENTER  HALON 
TANKS. 

RESPONSE: 

THE  UNIVERSITY  CONCURS  WITH  THE  RECOMMENDATION.  We  will 
research  alternative  fire  protection  systems.  If  the  results 
of  the  evaluation  indicate  we  cannot  effectively  utilize  the 
halon  tanks,  we  will  appropriately  dispose  of  them.  Project 
completion  date  is  1  August  1994. 

RECOMMENDATION  #4 

WE  RECOMMEND  THE  UNIVERSITY  ESTABLISH  POLICIES  AND  PROCEDURES  TO 
ENSURE  BACKUP  INFORMATION  IS  CONSISTENTLY  STORED  OFF-SITE  IN  A 
SECURE  LOCATION. 

RESPONSE: 

THE  UNIVERSITY  CONCURS  WITH  THE  RECOMMENDATION.  As  the  audit 
report  indicates,  the  University  initiated  steps  during  the 
course  of  the  audit  to  properly  control  the  room  temperature 
for the off-site backup facilities. While University
procedures do address off-site backup, we will clarify this
policy by 1 July 1994.

RECOMMENDATION  #5 

WE  RECOMMEND  THE  UNIVERSITY  EVALUATE  AND  LIMIT  TECHNICAL  SUPPORT 
EMPLOYEE  ACCESS  ACCORDING  TO  JOB  DUTIES. 
RESPONSE:

THE  UNIVERSITY  PARTIALLY  CONCURS  WITH  THE  RECOMMENDATION.  We 
will  review  current  position  descriptions  and  modify,  where 
necessary,  either  access  or  job  duties.  The  University  will 
also  review  systems  which  may  provide  additional  controls  and 
interim  access  on  an  as-needed  basis.  However,  the  University 
believes  the  present  method  of  assigning  security  access 
privileges  provides  sufficient  controls  and  additional 
verifications.  Currently,  security  responsibilities  and 
duties are allocated to several individuals; therefore, no
single  employee  is  in  position  to  compromise  the  system 
security  without  detection  by  at  least  one  other  employee. 

The  audit  report  implies  that  operating  system  files  can  be 
restricted  on  a  limited  basis,  for  instance  read  access  only. 
Generally,  VAX/VMS  operating  system  access  privileges  cannot 
be  granted  on  a  file-specific  basis.  The  technical  support 
specialists  are  assigned  duties  which  require  full  access  to 
the  VAX/VMS  operating  system  as  well  as  their  specific 
areas/application.  Furthermore,  with  our  present  method  of 
assigning  security  access  to  several  individuals,  technical 
support  specialists  cannot  write,  execute,  or  delete  operating 
system  files  without  detection  by  another  employee  or  the 
system. 

RECOMMENDATION  #6 

WE RECOMMEND THE UNIVERSITY RESTRICT PROGRAMMER ACCESS TO
PRODUCTION PROGRAMS AND DATA.

RESPONSE: 

THE  UNIVERSITY  CONCURS  WITH  THE  RECOMMENDATION.  We  will 
review  programmer  access  to  production  programs  and  data 
including  an  evaluation  of  current  access  privileges  and 
modification  of  those  privileges,  where  applicable.  The 
review  will  consider  the  security  needs  necessary  to  ensure 
continued  service  to  the  University  community  without 
compromising  standards  and  controls.  The  audit  report  notes 
we  did  in  fact  modify  programmer  access  privileges  for  the 
Banner  application.  We  will  utilize  the  same  review  process 
for  all  applications.  The  review  completion  date  is  1  October 
1994. 

RECOMMENDATION  #7 

WE  RECOMMEND  THE  UNIVERSITY  COMMUNICATE  ESTABLISHED  PROCEDURES  FOR 
DOCUMENTING  SYSTEM  PROGRAMMING  CHANGES. 
RESPONSE: 

THE  UNIVERSITY  CONCURS  WITH  THE  RECOMMENDATION.  The 
programming  personnel  recently  received  a  memo  detailing  the 
revisions  of  procedures.  Included  in  that  memo  was  the 
documentation  of  and  utilization  of  the  programming  changes 
checklist. 

RECOMMENDATION  #8 

WE  RECOMMEND  THE  UNIVERSITY: 

A.  REVIEW  AND  REVISE  USER  SUPPORT  PROCEDURES  TO  ENSURE  SERVICES 
MEET  USER  NEEDS. 

RESPONSE: 

THE  UNIVERSITY  PARTIALLY  CONCURS  WITH  THE  RECOMMENDATION.  The 
University  is  presently  planning  a  reorganization  of  all  its 
information  technology  services,  including  Computing  and 
Information  Services  (CIS).  This  reorganization  and  changes 
resulting  from  restructuring  may  also  redefine  user  services 
and  procedures  provided  by  CIS.  While  CIS  provides  support  to 
campus  users  in  many  capacities  now,  we  will  review  how  this 
information  is  communicated  to  campus  users  with  an  emphasis 
on  clarifying  support  services  available. 

B.  DEFINE   AND   COMMUNICATE   CIS'   AVAILABLE   COMPUTER   SUPPORT 
SERVICES. 

RESPONSE: 

THE  UNIVERSITY  PARTIALLY  CONCURS  WITH  THE  RECOMMENDATION.  As 
the  audit  report  notes,  CIS  provides  several  publications 
which  communicate  support  services  and  standards.  We  believe 
the  University  support  services  and  standards  are  defined  and 
communicated  to  campus.  In  an  April  1994  publication  this 
information  was  again  provided  to  campus  users.  With  the 
changes  in  standards,  applications,  and  systems  occurring  over 
the  next  two  years,  we  will  continue  to  inform  the  campus 
community. 

RECOMMENDATION  #9 

WE  RECOMMEND  THE  UNIVERSITY  ENSURE  MANAGEMENT  PERFORMS  ANNUAL 
PERFORMANCE  EVALUATIONS  IN  ACCORDANCE  WITH  UNIVERSITY  POLICY. 

RESPONSE: 

THE  UNIVERSITY  CONCURS  WITH  THE  RECOMMENDATION.  The 
University  will  ensure  that  CIS  management  consistently 
follows  the  University's  personnel  policy  for  annual 
performance  evaluations.  CIS  management  notified  departmental 
managers  and  supervisors  on  11  May  1994  of  the  need  to  conduct 
formal  performance  evaluations  in  accordance  with  established 
policies.  A  review  of  all  CIS  position  descriptions  and 
performance  evaluations  will  occur  by  1  July  1994. 

RECOMMENDATION  #10 

WE  RECOMMEND  THE  UNIVERSITY  RETAIN  SUPPORTING  DOCUMENTATION  FOR  CIS 
BILLINGS  IN  ACCORDANCE  WITH  STATE  POLICY. 

RESPONSE: 

THE  UNIVERSITY  CONCURS  WITH  THE  RECOMMENDATION.  Effective 
fiscal  year  1995,  the  University  will  retain  all  supporting 
documentation  for  Electronic  Maintenance  Center  services  in 
accordance  with  state  policy. 
June  10,  1994 


Mr.  Rich  McRae 

Senior  EDP  Auditor 

Office  of  the  Legislative  Auditor 

State  Capitol 

Helena,  MT  59620 

Dear  Mr.  McRae: 

Enclosed  is  the  University  System's  response  to  recommendation  #11  contained  in  the 
University  of  Montana's  EDP  Audit  Report  dated  June  4,  1994.  We  appreciate  the 
opportunity  to  respond  to  this  recommendation. 


Sincerely, 

Laurie  O.  Neils 

Director  of  Budget  and  Accounting 

c:  Rod  Sundsted 


enclosures 
RECOMMENDATION  #11 

We  recommend  the  Board  of  Regents  develop  and  implement  formal  policies  which 
address  safeguarding  data  and  information  technology  resources  in  accordance  with  state 
law. 

AGENCY  RESPONSE: 
Concur. 

Neither  the  Board  of  Regents  nor  the  Office  of  the  Commissioner  of  Higher  Education  has 
a  currently  authorized  position  devoted  to  tasks  relating  to  information  technology,  nor 
does  the  current  staff  have  the  technical  expertise  to  provide  the  Board  of  Regents  with 
policy  recommendations  related  to  information  technology.  The  Commissioner  of  Higher 
Education  and  the  Board  of  Regents  are  committed  to  a  sharing  and  enhancement  of 
information  technology  and  resources  in  the  restructured  University  System.  The 
Commissioner  plans  to  reallocate  a  currently  vacant  position  within  his  office  to  fill  the 
need  for  a  technical  expert  in  the  data  processing  and  information  technology  area.  It  is 
his  hope  that  during  Fiscal  Year  1995,  this  professional  will  be  hired  and  may  begin  to 
provide  the  Board  with  appropriate  policy  advice. 